A Comprehensive Approach to Detect and Block the Struts Critical Vulnerability CVE-2017-5638

With hackers taking advantage of the Apache Struts vulnerability and aggressively attacking enterprises worldwide, Qualys can protect your organization from this critical bug, which is hard to detect and difficult to patch.

The Lowdown on the Vulnerability

In its emergency security alert, Apache classified the vulnerability in Struts’ Jakarta Multipart parser as high risk, warning of remote code execution (RCE) attacks, which can lead to complete system compromises.

Specifically, the affected parser, present in Struts 2.3.5 through 2.3.31 and in 2.5 through 2.5.10, mishandles file uploads, which lets remote attackers execute arbitrary commands via a #cmd= string in a specially crafted Content-Type HTTP header, as described in the vulnerability’s CVE-2017-5638 entry.

In our own detailed analysis, we noted that exploits of this vulnerability don’t necessarily require upload functionality to be implemented on a web app, and that they can be carried out with only the presence of a vulnerable library.

Tackle Struts with Qualys

While the fixes sound straightforward on the surface (upgrade to Struts version 2.3.32 or 2.5.10.1, or switch to a different implementation of the parser), detecting the bug can be tricky for organizations, and patching it can be complicated and time-consuming.

But Qualys can help you protect your organization. With AssetView, ThreatPROTECT, Vulnerability Management, Web Application Scanning and Web Application Firewall all bundled together in Qualys Suite, you can find Struts in your environment quickly, comprehensively and at scale, as well as shield your organization from Struts attacks while you identify and patch vulnerable systems.

AssetView and ThreatPROTECT

Qualys AssetView quickly gives your IT and security teams a complete, up-to-date view of all Apache Struts servers in your environment. A centrally managed service, AssetView can monitor all Apache Struts images inside and outside of the environment, including within elastic clouds.

Using its unique asset tagging feature, you can build a dynamic tag to keep track of all Apache Struts servers. This tag will be continuously updated in real-time to flag any new Apache Struts servers that might pop up in the environment.

Meanwhile, Qualys ThreatPROTECT with its live feed gives you a quick view of all of your assets that have this Struts vulnerability, as well as a technical writeup from Qualys Vulnerability Labs detailing the vulnerability and current exploits.

Comprehensive Detection with VM and WAS

Qualys offers two mechanisms to detect Struts whether it resides on an internet-facing web server or within an internal network or in the cloud.

Vulnerability Management (VM)

Qualys has released QID 11771, which can be found using a standard Qualys Vulnerability Management scan against your web servers. This solution may be leveraged when form-based authentication is not necessary and the default location of the Struts .action and/or .do handlers remains constant. This VM check can be used efficiently at very large scale.

UPDATE: QID 11771 now supports Tomcat authentication on Linux and Unix hosts. This added detection looks for “struts core” jar files in the deployed web application directories and the lib folder of the Tomcat server. Once it finds such a jar file, it extracts the version information from that jar and compares it against the affected versions.
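The jar-based check described above (locate struts2-core jars under a deployment tree, read the version out of each jar, compare it with the affected ranges) can be reproduced locally. The script below is an added example, not Qualys code and not the logic behind QID 11771; it assumes the version is recorded in the jar's pom.properties or manifest (with the file name as fallback) and it builds its own constructed jars in a temporary directory so it runs without a real Tomcat install.

```python
"""Added example (not Qualys code): find struts2-core jars under a Tomcat-like tree,
read the version out of each jar and compare it with the affected ranges."""
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges from the advisory quoted in the post;
# 2.3.32 and 2.5.10.1 are the fixed releases and fall outside them.
AFFECTED_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))

# Jar metadata that usually carries the version (assumed layout): pom.properties
# has "version=", the manifest has "Implementation-Version:" or "Bundle-Version:".
METADATA_MEMBERS = (
    "META-INF/maven/org.apache.struts/struts2-core/pom.properties",
    "META-INF/MANIFEST.MF",
)
VERSION_LINE_RE = re.compile(
    r"^(?:Implementation-Version|Bundle-Version|version)\s*[:=]\s*(\S+)", re.M
)
JAR_NAME_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """'2.3.31' -> (2, 3, 31); short versions are padded so '2.5' == (2, 5, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: Version) -> bool:
    """Tuple comparison handles 2.5.10.1 correctly: it sorts above (2, 5, 10)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def version_from_jar(path: str) -> Optional[str]:
    """Prefer the metadata inside the jar; fall back to the version in the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            for member in METADATA_MEMBERS:
                if member in names:
                    match = VERSION_LINE_RE.search(jar.read(member).decode("utf-8", "replace"))
                    if match:
                        return match.group(1)
    except zipfile.BadZipFile:
        pass  # damaged or renamed file: try the file name instead
    match = JAR_NAME_RE.match(os.path.basename(path))
    return match.group(1) if match else None


def find_struts_jars(root: str) -> Iterator[Tuple[str, Optional[str], bool]]:
    """Yield (path, version, affected) for every struts2-core jar below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("struts2-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = version_from_jar(path)
                affected = version is not None and is_affected(parse_version(version))
                yield path, version, affected


def make_sample_jar(directory: str, version: str) -> str:
    """Constructed fixture: a minimal jar whose manifest carries the version."""
    path = os.path.join(directory, f"struts2-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return path


def demo() -> Dict[str, bool]:
    """Build a throwaway webapps/.../WEB-INF/lib tree with constructed jars and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "webapps", "app", "WEB-INF", "lib")
        os.makedirs(lib)
        for version in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
            make_sample_jar(lib, version)
        return {version: affected for _path, version, affected in find_struts_jars(root)}


if __name__ == "__main__":
    for version, affected in demo().items():
        print(f"struts2-core {version}: {'VULNERABLE' if affected else 'not affected'}")
```

Point the walker at a real CATALINA_BASE (webapps plus lib) instead of the temporary tree to use it for inventory; the metadata-first lookup matters because jars are sometimes renamed or shaded, and the file name alone would then miss them.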

Qualys also offers QID 45258 and QID 45257, which can be useful in discovering where Struts is installed:

45258 Apache Struts Detected On Linux Under Common Directories

45257 Apache Struts Detected On Windows Under Common Directories

These are informational QIDs: they don’t report a vulnerability, but rather help determine where Struts might be installed.

Web Application Scanning (WAS)

If form authentication and non-default paths and redirects are utilized within your Apache environments, Qualys Web Application Scanning is the ideal solution.

Not only can Qualys WAS perform complex authentication methods, it also offers an enhanced crawling engine to locate those hard-to-find directories.

The ability to crawl is paramount in properly finding, testing and detecting this vulnerability across your entire IT infrastructure and application environments.

This method of testing will allow you to detect this vulnerability at scale. QID 150173 has been added to WAS to cover this vulnerability specifically, and is included with Vulnsigs version 2.3.560-6 / WAS-4.1.96-1 and later.

You can confirm your version of WAS by going to Help > About from the WAS module.

Our Detection Methodology

The detection sends a specially crafted request whose Content-Type HTTP header carries the test expression. The header is shown below:

The request asks the web server to multiply two numbers; the same mechanism could be used to make the server perform any other operation. In the example above the two numbers are 3195 and 5088. If the scanner receives the correct answer from the web server, 16256160 in this example, the server is concluded to be vulnerable. The response (together with the request) is shown in the Wireshark screen capture below; the multiplication result appears in an HTTP response header.

Protect and Defend with Web Application Firewall (WAF)

Qualys Web Application Firewall adds the ability to easily block this vulnerability when upgrades or changes cannot be made due to change control or the possibility of breaking existing installations or legacy uses.

As you can see, a wide variety of custom rule conditions can be used to meet the specific security needs of your application.

It is important to note that the presence of the vulnerable library is enough for the vulnerability to be exploited. The web application doesn’t necessarily need to implement file upload functionality for this vulnerability to be exploitable.
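A custom rule of the kind the WAF section describes can be expressed as a small inspection function: a legitimate Content-Type is a media type with optional parameters, and it never contains expression syntax such as the #cmd= string named in the CVE entry. The code below is an added example, not Qualys code and not a WAF rule from the product; the token grammar follows RFC 7230, the 512-byte length limit is an assumed threshold, and the sample requests are constructed (the "probe" value is only shaped like an expression, not a working payload). Because the library alone is enough, as noted above, a rule like this belongs in front of every Struts application, not only upload endpoints.

```python
"""Added example (not Qualys code): a WAF-style check that flags Content-Type
headers carrying expression syntax or not shaped like a media type at all."""
import re
from typing import Dict, List, Tuple

# RFC 7230 token characters; '{', '(', quotes and spaces are not among them.
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf"\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED})"
MEDIA_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAM})*\s*;?\s*$")

# Markers that never belong in a legitimate Content-Type: '%{' and '${' open an
# OGNL expression, '#cmd=' is the string named in the CVE entry.
EXPRESSION_MARKERS = ("%{", "${", "#cmd=")
MAX_CONTENT_TYPE_LEN = 512  # assumed limit; tune it to the application's real headers


def inspect_content_type(value: str) -> Tuple[bool, str]:
    """Return (allowed, reason): markers first, then grammar, then length."""
    lowered = value.lower()
    for marker in EXPRESSION_MARKERS:
        if marker in lowered:
            return False, f"expression marker {marker!r} in Content-Type"
    if not MEDIA_TYPE_RE.match(value):
        return False, "Content-Type is not a well-formed media type"
    if len(value) > MAX_CONTENT_TYPE_LEN:
        return False, "Content-Type longer than expected"
    return True, "ok"


def inspect_request_head(raw: str) -> List[Tuple[str, bool, str]]:
    """Walk the header block of one raw HTTP request; report every Content-Type seen."""
    findings = []
    for line in re.split(r"\r?\n", raw)[1:]:   # skip the request line
        if line == "":
            break                               # blank line ends the header block
        name, _sep, value = line.partition(":")
        if name.strip().lower() == "content-type":
            allowed, reason = inspect_content_type(value.strip())
            findings.append((value.strip(), allowed, reason))
    return findings


# Constructed sample requests (not captured traffic). The "probe" Content-Type is
# only shaped like an expression; it is not a working payload.
SAMPLE_REQUESTS: Dict[str, str] = {
    "upload": ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
               "Content-Type: multipart/form-data; boundary=----Boundary7MA4YWxk\r\n\r\n"),
    "api": ("POST /api/items HTTP/1.1\r\nHost: app.example\r\n"
            "Content-Type: application/json; charset=\"utf-8\"\r\n\r\n"),
    "probe": ("POST /index.action HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: %{#cmd='placeholder'}\r\n\r\n"),
    "junk": ("GET /index.action HTTP/1.1\r\nHost: app.example\r\n"
             "Content-Type: not a media type\r\n\r\n"),
}


def scan_samples() -> Dict[str, bool]:
    """Map each sample to whether all of its Content-Type headers would be allowed."""
    return {name: all(ok for _value, ok, _reason in inspect_request_head(raw))
            for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        for value, allowed, reason in inspect_request_head(raw):
            print(f"{name:7} {'ALLOW' if allowed else 'BLOCK'}  {reason}: {value}")
```

The strict grammar is what makes the rule robust: it rejects any header the Struts parser would fail on and echo into an error message, whatever expression syntax the request uses, while well-formed uploads and JSON calls pass. Note that parameter values containing non-token characters must be quoted per RFC 7231; a client that sends them unquoted will be blocked, which is usually a client bug worth surfacing.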